Presentation 1


Transcript of Presentation 1

Page 1: Presentation 1

1

Page 2: Presentation 1

2

Table of contents

* Introduction
* Installation
* Verifying installation
* Httpd.conf
* Instances
* Virtual Hosts
* Security
* Tuning
* Plug-in installation
* Troubleshooting
* Uninstalling

Page 3: Presentation 1

3

Introduction to Web Server

A computer program that is responsible for accepting HTTP requests from clients (user agents such as web browsers), and serving them HTTP responses along with optional data contents, which usually are web pages such as HTML documents and linked objects (images, etc.).

Common features

* HTTP/HTTPS support
* Logging
* Authentication
* Handling of static content
* Content compression
* Virtual hosting
* Large file support

Page 4: Presentation 1

4

Page 5: Presentation 1

5

Historical notes

The world's first web server.

In 1989 Tim Berners-Lee proposed to his employer CERN (European Organization for Nuclear Research) a new project, which had the goal of easing the exchange of information between scientists by using a hypertext system. As a result of the implementation of this project, in 1990 Berners-Lee wrote two programs:

* a browser called WorldWideWeb;
* the world's first web server, later known as CERN HTTPd,

which ran on NeXTSTEP.

Page 6: Presentation 1

6

IBM HTTP Server Installation

Page 7: Presentation 1

7

License Agreement

Page 8: Presentation 1

8

Installation Directory

Page 9: Presentation 1

9

Setup Types

Page 10: Presentation 1

10

Make IHS as Windows Service

Page 11: Presentation 1

11

Showing Info Before Installation

Page 12: Presentation 1

12

Installing…………

Page 13: Presentation 1

13

Installation Completed.

Page 14: Presentation 1

14

IHS Home Dir

Page 15: Presentation 1

15

Start/Stop/Restart HTTP server

In Windows

Start the command prompt (e.g.: Start > Run, type CMD, press Enter), go to the HTTP server bin directory (c:\program files\IBM HTTP Server\bin\) and use apache.exe to start, stop or restart the server as below:

To start: apache.exe -k start
To stop: apache.exe -k stop
To restart: apache.exe -k restart

In Unix

# /usr/IBMIHS/bin/apachectl start
# /usr/IBMIHS/bin/apachectl stop

Page 16: Presentation 1

16

Verifying Web server Installation

Page 17: Presentation 1

17

Verifying Logs post installation

Page 18: Presentation 1

18

Httpd.conf

IHS is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf. The location of this file is set at compile-time, but may be overridden with the -f command line flag. In addition, other configuration files may be added using the Include directive. Any directive may be placed in any of these configuration files. Changes to the main configuration files are only recognized by Apache when it is started or restarted.

Directives in the configuration files are case-insensitive, but arguments to directives are often case sensitive. Lines which begin with the hash character "#" are considered comments, and are ignored. Comments may not be included on a line after a configuration directive. Blank lines and white space occurring before a directive are ignored, so you may indent directives for clarity.

You can check your configuration files for syntax errors without starting the server by using apachectl configtest or the -t command line option.

E.g.:

# /opt/IBMIHS/bin/apachectl -t -f /opt/IBMIHS/conf/ins1.conf
"c:\program files\IBM HTTP Server\bin\apache.exe" -t -f <path_to_configuration_file>

Page 19: Presentation 1

19

Httpd.conf

The Apache HTTP Server configuration file is /etc/httpd/conf/httpd.conf.

The httpd.conf file is well-commented and mostly self-explanatory. Its default configuration works for most situations; however, it is a good idea to become familiar with some of the more important configuration options.

Section 1: Global Environment

ServerType standalone
ServerRoot "/etc/httpd"
PidFile /var/run/httpd.pid
ResourceConfig /dev/null
AccessConfig /dev/null
Timeout 300
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 15
MinSpareServers 16
MaxSpareServers 64
StartServers 16
MaxClients 512
MaxRequestsPerChild 100000

Page 20: Presentation 1

20

Httpd.conf

Port 80

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

User www
Group www
ServerAdmin [email protected]
ServerName www.openna.com
DocumentRoot "/home/httpd/ona"

<Directory "/home/httpd/ona">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Page 21: Presentation 1

21

Httpd.conf

<IfModule mod_dir.c>
DirectoryIndex index.htm index.html index.php index.php3 default.html index.cgi
</IfModule>

#<IfModule mod_include.c>
#Include conf/mmap.conf
#</IfModule>

ErrorLog /var/log/httpd/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
SetEnvIf Request_URI \.gif$ gif-image
CustomLog /var/log/httpd/access_log combined env=!gif-image

ErrorDocument 500 "The server made a boo boo.
ErrorDocument 404 http://192.168.1.1/error.htm
ErrorDocument 403 "Access Forbidden -- Go away.

Page 22: Presentation 1

22

Httpd.conf

<IfModule mod_setenvif.c>
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>

Page 23: Presentation 1

23

To create New IHS Instance

In IBM HTTP Server we can create multiple web server instances by copying the httpd.conf file. To start an instance, use the -f option as below.

Syntax:

apachectl -k $action -f <path_to_configuration_file>
apache.exe -k $action -f <path_to_configuration_file>

$action: start/stop/restart

For example, if the apachectl command is not in your PATH, the IBM HTTP Server installation directory is /opt/IBMIHS, and an alternate configuration file, /opt/IBMIHS/conf/ins1.conf, is used:

E.g.:

# /opt/IBMIHS/bin/apachectl -k start -f /opt/IBMIHS/conf/ins1.conf
"c:\program files\IBM HTTP Server\bin\apache.exe" -k stop -f <path_to_configuration_file>

Page 24: Presentation 1

24

Virtual Host

The term Virtual Host refers to the practice of maintaining more than one server on one machine, as differentiated by their apparent hostname. For example, it is often desirable for companies sharing a web server to have their own domains, with web servers accessible as www.company1.com and www.company2.com, without requiring the user to know any extra path information.

Apache was one of the first servers to support IP-based virtual hosts right out of the box. Versions 1.1 and later of Apache support both, IP-based and name-based virtual hosts (vhosts).

Running several name-based web sites on a single IP address.

Your server has a single IP address, and multiple aliases (CNAMES) point to this machine in DNS. You want to run a web server for www.example1.com and www.example2.org on this machine.

Page 25: Presentation 1

25

Configuring VHOST

Add the below syntax to httpd.conf to configure a virtual host on your IHS web server:

<VirtualHost addr[:port] [addr[:port]] ...>
…………
…………
</VirtualHost>

e.g.:

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80

<VirtualHost *:80>
DocumentRoot /www/example1
ServerName www.example1.com
# Other directives here
</VirtualHost>

Page 26: Presentation 1

26

Example for VHOST

Simple name-based vhosting

Setup: The server machine has a primary name server.domain.tld. There are two aliases (CNAMEs) www.domain.tld and www.sub.domain.tld for the address server.domain.tld.

Server configuration:

...
Port 80
ServerName server.domain.tld

NameVirtualHost *:80

<VirtualHost *:80>
DocumentRoot /www/domain
ServerName www.domain.tld
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /www/subdomain
ServerName www.sub.domain.tld
</VirtualHost>

The asterisks match all addresses, so the main server serves no requests. Due to the fact that www.domain.tld is first in the configuration file, it has the highest priority and can be seen as the default or primary server.
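How name-based selection plays out for the configuration above, as an added example (not part of the original slides). It is a simplified model that matches only ServerName, ignores ServerAlias and IP-based matching, and uses constructed Host header values; any request whose Host header matches no ServerName is served by the first vhost.

```python
import re

# Constructed from the slide's example configuration.
HTTPD_CONF = """\
NameVirtualHost *:80

<VirtualHost *:80>
DocumentRoot /www/domain
ServerName www.domain.tld
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /www/subdomain
ServerName www.sub.domain.tld
</VirtualHost>
"""


def parse_vhosts(conf_text):
    """Return [(server_name, document_root)] in configuration-file order."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts.append((current.get("servername"), current.get("documentroot")))
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            # Directive names are case-insensitive, so normalise the key.
            current[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return vhosts


def select_docroot(vhosts, host_header):
    """Pick the DocumentRoot for a Host header; the first vhost is the fallback."""
    name = (host_header or "").split(":")[0].strip().lower()
    for server_name, docroot in vhosts:
        if server_name and server_name.lower() == name:
            return docroot
    return vhosts[0][1]  # no match: the first vhost acts as the default


if __name__ == "__main__":
    for host in ("www.sub.domain.tld", "server.domain.tld", "192.0.2.10", None):
        print(host, "->", select_docroot(parse_vhosts(HTTPD_CONF), host))
```

Placing a deliberately minimal vhost first keeps requests with unexpected Host headers away from real site content.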

Page 27: Presentation 1

27

Authentication Types

HTTP Basic Authentication

HTTP Digest Authentication

HTTPS Client Authentication

Integrating OS Authentication

Page 28: Presentation 1

28

HTTP Basic Authentication

HTTP Basic Authentication, which is based on a username and password, is the authentication mechanism defined in the HTTP/1.0 specification. A web server requests a web client to authenticate the user. As part of the request, the web server passes the realm (a string) in which the user is to be authenticated. The web client obtains the username and the password from the user and transmits them to the web server. The web server then authenticates the user in the specified realm.

Basic Authentication is not a secure authentication protocol. User passwords are sent in simple base64 ENCODING (not ENCRYPTED!), and the target server is not authenticated.

Page 29: Presentation 1

29

HTTP Digest Authentication

Like HTTP Basic Authentication, HTTP Digest Authentication authenticates a user based on a username and a password. However, the authentication is performed by transmitting the password in an ENCRYPTED form, which is much MORE SECURE than the simple base64 encoding used by Basic Authentication.

The advantage of this method is that the cleartext password is protected in transmission: it cannot be determined from the digest that is submitted by the client to the server.

Page 30: Presentation 1

30

HTTPS Client Authentication.

End user authentication using HTTPS (HTTP over SSL) is a strong authentication mechanism. This mechanism requires the user to possess a Public Key Certificate (PKC). Currently, PKCs are useful in e-commerce applications and also for a single-sign-on from within the browser. Servlet containers that are not J2EE technology compliant are not required to support the HTTPS protocol.

Client-certificate authentication is a more secure method of authentication than either BASIC or Digest authentication. It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates. Secure Sockets Layer (SSL) provides data encryption, server authentication, and optional client authentication for a TCP/IP connection. A public key certificate is issued by a trusted organization, which is called a certificate authority (CA), and provides identification for the bearer. Prior to running an application that uses SSL, you must configure SSL support on the server and set up the public key certificate.

Page 31: Presentation 1

31

Configuring HTTPS

The following steps will guide you through the proper set up of SSL within the IBM HTTP Server:

1. Confirm that the Global Security Kit (GSKit) is installed and meets the minimum requirements

2. Create a key database file and certificates needed to authenticate the Web server during an SSL handshake

3. Enable SSL directives within the IBM HTTP Server configuration file (httpd.conf)

4. Other considerations when enabling SSL directives within the IBM HTTP Server configuration file (httpd.conf)

Page 32: Presentation 1

32

Verifying GSK

1. Confirm that the Global Security Kit is installed and meets the minimum requirements

The Global Security Kit (GSKit) is a required component for the Secure Sockets Layer (SSL) enablement within the IBM HTTP Server. Therefore, it is important to confirm that a supported version of the Global Security Kit is installed prior to enabling SSL.

For a complete listing of IBM HTTP Server releases and corresponding Global Security Kit versions, see IBM HTTP Server: Global Security Kit (GSKit) supported versions.

Page 33: Presentation 1

33

Create a key database file and certificates

Page 34: Presentation 1

34

Create a key database

Page 35: Presentation 1

35

Password For KDB

Page 36: Presentation 1

36

New Self Signed Cert

Page 37: Presentation 1

37

Enter Required Information

Page 38: Presentation 1

38

Example

Page 39: Presentation 1

39

Self signed Cert Is done

Page 40: Presentation 1

40

3. Enable SSL directives within the configuration file

Page 41: Presentation 1

41

Access using Https

Page 42: Presentation 1

42

Double Click the lock to test the cert

Page 43: Presentation 1

43

Check for issued name

Page 44: Presentation 1

44

Tuning IHS

Configure the IBM HTTP Server to show a status page:

Edit the IBM HTTP Server httpd.conf file and remove the comment character (#) from the following lines in this file:

#LoadModule status_module modules/ApacheModuleStatus.dll

#<Location /server-status>
#SetHandler server-status
#</Location>

Save the changes and restart the IBM HTTP Server. In a Web browser, go to: http://yourhost/server-status.

Alternatively, click Reload to update status. (Optional) If the browser supports refresh, go to http://your_host/server-status?refresh=5 to refresh every five seconds.
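Once uncommented, the block above serves the status page to any client that can reach the server. The following added example (not part of the original slides) checks a configuration for server-status sections that carry no access-control directive; the sample configurations and the address range are constructed, and the restricted variant uses the Order/Deny/Allow directives already shown in the httpd.conf slides.

```python
import re

ACCESS_DIRECTIVES = {"order", "allow", "deny", "require"}

# Constructed sample: the slide's status block once uncommented.
OPEN_CONF = """\
<Location /server-status>
SetHandler server-status
</Location>
"""

# Constructed sample: the same block limited to one admin network.
RESTRICTED_CONF = """\
# status page limited to one admin network (constructed address range)
<location /server-status>
    sethandler server-status
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</location>
"""


def unrestricted_status_locations(conf_text):
    """Return paths of <Location> sections that expose server-status
    without any access-control directive inside the section."""
    findings, path, directives, handler = [], None, set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and blank lines are ignored
            continue
        opened = re.match(r"<Location\s+([^>]+)>", line, re.I)
        if opened:
            path, directives, handler = opened.group(1).strip('"'), set(), None
        elif re.match(r"</Location>", line, re.I):
            if handler == "server-status" and not directives & ACCESS_DIRECTIVES:
                findings.append(path)
            path = None
        elif path is not None:
            parts = line.split(None, 1)
            name = parts[0].lower()            # directive names are case-insensitive
            directives.add(name)
            if name == "sethandler" and len(parts) > 1:
                handler = parts[1].strip().lower()
    return findings


if __name__ == "__main__":
    print(unrestricted_status_locations(OPEN_CONF))
    print(unrestricted_status_locations(RESTRICTED_CONF))
```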

Page 45: Presentation 1

45

Tuning IHS

All of these Web servers allocate a thread to handle each client connection. Ensuring that enough threads are available for the maximum number of concurrent client connections helps prevent this tier from being a bottleneck. The settings for these Web servers can be tuned by making changes to the httpd.conf file on the Web server system.

You can check the IBM HTTP Server error_log file to see if there are any warnings about having reached the maximum number of clients (MaxClients). There are several parameters, depending on the specific operating system platform, that determine the maximum number of clients the Web server supports.

Support thousands of concurrent clients. It is not unusual for a single IBM HTTP Server system to support thousands of concurrent clients. If your requirements are to support more concurrent clients than the number of threads that are supported by the Web server operating system and hardware, consider using multiple Web servers.

Page 46: Presentation 1

46

Tuning IHS

Change the setting on the Web server's Access logging parameter to reduce the load on the Web server. If you do not need to log every access to the Application Server, change the default value of the Web server's Access logging parameter. This change will reduce the load on the Web server.

Modify the settings of the Load balancing option and Retry interval on Web server plug-in properties to improve performance. You can improve the performance of IBM HTTP Server (with the WebSphere Web server plug-in) by modifying the following Web server plug-in configuration properties:

* Load balancing option, which specifies the load balancing option that the plug-in uses in sending requests to the various application servers associated with that Web server.

Page 47: Presentation 1

47

Plug-in installation

Page 48: Presentation 1

48

License Agreement

Page 49: Presentation 1

49

OS Prerequisites Check

Page 50: Presentation 1

50

Select Your Webserver

Page 51: Presentation 1

51

Select Remote or Local

Page 52: Presentation 1

52

Plug-in installation Location

Page 53: Presentation 1

53

If Local –Apps Server Location

Page 54: Presentation 1

54

Location Of HTTPD.Conf

Page 55: Presentation 1

55

Webserver Definition Name

Page 56: Presentation 1

56

Plug-in Location

Page 57: Presentation 1

57

Installation In Progress

Page 58: Presentation 1

58

Plug-in Installation Completed

Page 59: Presentation 1

59

Httpd.conf comparison After and before plug-in installation

Page 60: Presentation 1

60

Troubleshooting IHS

Page 61: Presentation 1

61

Troubleshooting IHS

Connection Refused error message

Symptoms of poor server response time

If you notice that server CPU utilization appears low, but client requests for static pages take a long time to service, your server may be running out of server threads to handle requests. This situation results when you have more inbound requests than you have Apache threads to handle those requests. New connections queue in the TCP/IP stack listen queue and wait for acceptance from an available thread. As a thread becomes available, it accepts and handles a connection off of the listen queue. Connections can take a long time to reach the top of the listen queue. This condition will be logged in a single error message in the error log:

* The message on AIX, Linux, Solaris, or HP-UX platforms is: "Server reached MaxClients setting, consider raising the MaxClients setting"
* The message on Windows operating systems is: "Server ran out

Page 62: Presentation 1

62

Error Messages

Message: SSL0600S: Unable to connect to session ID cache
Reason: The server was not able to connect to the Session ID caching daemon.
Solution: Verify that the daemon was successfully started

Message: SSL0701S: The password was not entered.
Reason: The password was not entered on the command line.
Solution: Rerun the command with the password added.

Message: SSL0702S: Password exceeds the allowed length of 512.
Reason: The password that was entered is longer than the allowed maximum of 512 characters.
Solution: Use a shorter password.
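A scan of error_log for the conditions listed on the troubleshooting slides, as an added example (not part of the original slides). The log lines are constructed in the usual Apache error log layout, and only the AIX/Linux/Solaris/HP-UX MaxClients message and the SSL message codes shown above are recognised.

```python
import re

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<level>\w+)\]\s+(?P<msg>.*)$")
SSL_CODE_RE = re.compile(r"\b(SSL\d{4}[A-Z])\b")
MAXCLIENTS_RE = re.compile(r"server reached MaxClients setting", re.I)

# Remedies quoted from the "Solution" entries on the slides.
SOLUTIONS = {
    "SSL0600S": "Verify that the daemon was successfully started",
    "SSL0701S": "Rerun the command with the password added",
    "SSL0702S": "Use a shorter password",
}

# Constructed sample log lines.
SAMPLE_LOG = """\
[Mon Mar 03 09:15:02 2008] [notice] resuming normal operations
[Mon Mar 03 10:41:17 2008] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Mon Mar 03 10:41:19 2008] [error] SSL0600S: Unable to connect to session ID cache
[Mon Mar 03 11:02:44 2008] [error] SSL0600S: Unable to connect to session ID cache
"""


def summarize(log_text):
    """Return {condition: {count, first, last, solution}} for known conditions."""
    summary = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                       # skip lines not in error log layout
        msg = m.group("msg")
        code = SSL_CODE_RE.search(msg)
        if MAXCLIENTS_RE.search(msg):
            key = "MaxClients"             # thread pool exhausted
        elif code:
            key = code.group(1)
        else:
            continue
        entry = summary.setdefault(
            key, {"count": 0, "first": m.group("ts"), "solution": SOLUTIONS.get(key)})
        entry["count"] += 1
        entry["last"] = m.group("ts")
    return summary


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print(key, info)
```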

Page 63: Presentation 1

63